Basic authentication and test authentication from ProxySG Management Console may fail for users in the foreign domain

Article ID: 168268

Products

ProxySG Software - SGOS

Issue/Introduction

The previous implementation of test/basic authentication contacted a KDC in the user's domain and used Kerberos on the back end to authenticate the user. Authentication fails because the appliance considers that domain offline: it must have been unable to connect to a DC in the user's domain when it tried.
 
In SGOS 6.5.5.2 and later, the appliance uses NTLM on the back end for basic/test authentication (just like BCAAA). It takes the basic credentials and issues an NTLM request, acting as the NTLM client. For basic and test authentication, the appliance therefore sends the NTLM request to a DC in its own domain, and that DC forwards the request to a DC in the user's domain (the foreign domain in this case). It does not matter if the appliance considers the user's domain offline, because it does not have to talk directly to a DC in the user's domain.

The NTLM-based implementation in 6.5.5.2 and later does not require the appliance to connect directly to a DC in the user's domain.
 

Resolution

This is fixed in SGOS 6.5.5.2 or later.

Workaround

Make sure that the appliance can also talk directly to the DCs in the foreign domain.